Credential REST Reference

/credential

Methods
GET

Gets the list of Credentials.

Fields Parameter

The fields parameter should be specified in the query string, and it takes the syntax

    ?fields=<field>,...

NOTE: 'typeFields' returns the type-specific parameters inside a 'typeFields' object. It does not consider authType, privilegeEscalation, or dbType. If requested, typeFields returns the following for each type:

type "database": login, password, sid, port, dbType, oracleAuthType, SQLServerAuthType
type "ssh": authType, username, password, publicKey, privateKey, passphrase, kdc_ip, kdc_port, kdc_protocol, kdc_realm, vault_host, vault_port, vault_username, vault_password, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_private_key, thycotic_ssl_verify, privilegeEscalation, escalationUsername, escalationPassword, escalationSuUser, escalationPath
type "snmp": communityString
type "windows": authType, username, password, domain, kdc_ip, kdc_port, kdc_protocol, vault_host, vault_port, vault_username, vault_password, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_ssl_verify

Allowed Fields

*id
**name
**description
**type

creator
target
groups

typeFields
tags
createdTime
modifiedTime
canUse
canManage

Session user role not "1" (Administrator)

owner
ownerGroup
targetGroup

Legend

* = always comes back

** = comes back if fields list not specified on GET all

Request Parameters

None

Filter Parameters

usable - The response will be an object containing an array of usable Credentials. By default, both usable and manageable objects are returned.
manageable - The response will be an object containing all manageable Credentials. By default, both usable and manageable objects are returned.

Example Response
{
	"type" : "regular",
	"response" : {
		"usable" : [
			{
				"id" : "1000001",
				"name" : "Test",
				"description" : "",
				"type" : "ssh"
			},
			{
				"id" : "1000002",
				"name" : "test",
				"description" : "",
				"type" : "ssh"
			}
		],
		"manageable" : [
			{
				"id" : "1000001",
				"name" : "Test",
				"description" : "",
				"type" : "ssh"
			},
			{
				"id" : "1000002",
				"name" : "test",
				"description" : "",
				"type" : "ssh"
			}
		]
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1408719365
}
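
A client-side review of the list response, as an added example that is not part of the original reference: it requests typeFields explicitly, merges the usable and manageable arrays by id, and flags vault lookups whose SSL settings are switched off. The helper names and the sample response are constructed; the field names and values are the ones listed on this page.

```python
from urllib.parse import urlencode


def credential_query(fields):
    """Path and query string for GET /credential with an explicit fields list."""
    return "/credential?" + urlencode({"fields": ",".join(fields)}, safe=",")


def merge_scopes(body):
    """Collapse the 'usable' and 'manageable' arrays into one record per id."""
    merged = {}
    for scope in ("usable", "manageable"):
        for cred in body["response"].get(scope, []):
            merged.setdefault(cred["id"], dict(cred, scopes=[]))["scopes"].append(scope)
    return merged


def audit(body):
    """Return (id, name, finding) tuples for vault transport settings to review."""
    findings = []
    for cred in merge_scopes(body).values():
        tf = cred.get("typeFields", {})
        auth = tf.get("authType")
        # typeFields lists every key for the type regardless of authType, so only
        # trust vault_* / thycotic_* settings when authType actually selects them.
        if auth == "cyberark" and tf.get("vault_use_ssl") == "false":
            findings.append((cred["id"], cred["name"], "CyberArk lookup without SSL"))
        if auth == "cyberark" and tf.get("vault_verify_ssl") == "false":
            findings.append((cred["id"], cred["name"], "CyberArk certificate not verified"))
        if auth == "thycotic" and tf.get("thycotic_ssl_verify") == "no":
            findings.append((cred["id"], cred["name"], "Thycotic certificate not verified"))
    return findings


# Constructed sample response (not real data), shaped like the example above.
_A = {"id": "1000001", "name": "Test", "type": "ssh", "typeFields": {
    "authType": "cyberark", "vault_use_ssl": "true", "vault_verify_ssl": "false"}}
_B = {"id": "1000002", "name": "test", "type": "ssh", "typeFields": {
    "authType": "password", "vault_verify_ssl": "false"}}
_C = {"id": "1000003", "name": "win", "type": "windows", "typeFields": {
    "authType": "thycotic", "thycotic_ssl_verify": "no"}}
SAMPLE = {"type": "regular", "error_code": 0,
          "response": {"usable": [_A, _B], "manageable": [_A, _C]}}

if __name__ == "__main__":
    print(credential_query(["id", "name", "type", "typeFields"]))
    for finding in audit(SAMPLE):
        print(finding)
```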

POST

Adds a Credential.

Request Parameters
{
	"name" : <string>,
	"tags" : <string> DEFAULT "",
	"description" : <string> DEFAULT "",
	"type" : <string> "database" | "windows" | "snmp" | "ssh"
	...
}

type is "database"

{
	...
	"login" : <string>,
	"password" : <string>,
	"port" : <string> (valid port number),
	"sid" : <string> DEFAULT "",
	"dbType" : <string>,
	
	dbType "Oracle"
	---------------
	"OracleAuthType" : <string>,
	
	dbType "SQL Server"
	-------------------
	"SQLServerAuthType" : <string>
}

type is "ssh"

{
	...
	"username" : <string>,
	"authType" : <string> "certificate" | "cyberark" | "kerberos" | "password" | "publickey" | "thycotic"
	
	authType "certificate"
	---------------
	"publicKey" : <string>,
	"privateKey" : <string>,
	"passphrase" : <string> DEFAULT "",
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "cyberark"
	-------------------
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string> "false" | "true",
	"vault_verify_ssl" : <string> "false" | "true",
	"privilegeEscalation" : <string> "none" DEFAULT "none"
	
	authType "kerberos"
	-------------------
	"password" : <string>,
	"kdc_ip" : <string> (valid IP address),
	"kdc_port" : <string> (valid port number),
	"kdc_protocol" : <string>,
	"kdc_realm" : <string>,
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "password"
	-------------------
	"password" : <string>,
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "publickey"
	--------------------
	"privateKey" : <string>,
	"passphrase" : <string> DEFAULT "",
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "thycotic"
	--------------------
	"thycotic_secret_name" : <string>,
	"thycotic_url" : <string>,
	"thycotic_username" : <string>,
	"thycotic_password" : <string>,
	"thycotic_organization" : <string> DEFAULT "",
	"thycotic_domain" : <string> DEFAULT "",
	"thycotic_private_key" : <string> "no" | "yes",
	"thycotic_ssl_verify" : <string> "no" | "yes",
	"privilegeEscalation" : <string> "none" DEFAULT "none"
	
	privilegeEscalation ".k5login"
	-----------------------------
	"escalationUsername" : <string>
	
	privilegeEscalation "cisco"
	---------------------------
	"escalationPassword" : <string>
	
	privilegeEscalation "dzdo" and authType "certificate"
	-----------------------------------------------
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "dzdo" and authType "certificate"
	-----------------------------------------------
	"escalationUsername" : <string>,
	"escalationPassword" : <string>,
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "pbrun"
	---------------------------
	"escalationPassword" : <string>,
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "su+sudo"
	-----------------------------
	"escalationSuUser" : <string>,
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "su" | "sudo"
	---------------------------------
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
}

type is "snmp"

{
	...
	"communityString" : <string>
}

type is "windows"

{
	...
	"username" : <string>,
	"authType" : <string> "cyberark" | "kerberos" | "lm" | "ntlm" | "password" | "thycotic",
	
	authType "cyberark"
	-------------------
	"domain" : <string> DEFAULT "",
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string>,
	"vault_verify_ssl" : <string>
	
	authType "kerberos"
	-------------------
	"password" : <string>,
	"kdc_ip" : <string> (valid IP address),
	"kdc_port" : <string> (valid port number),
	"kdc_protocol" : <string>,
	"kdc_realm" : <string>
	
	authType "lm" | "ntlm" | "password"
	-----------------------------------
	"password" : <string>,
	"domain" : <string> DEFAULT ""
	
	authType "thycotic"
	-------------------
	"domain" : <string> DEFAULT "",
	"thycotic_secret_name" : <string>,
	"thycotic_url" : <string>,
	"thycotic_username" : <string>,
	"thycotic_password" : <string>,
	"thycotic_organization" : <string> DEFAULT "",
	"thycotic_domain" : <string> DEFAULT "",
	"thycotic_ssl_verify" : <string> "no" | "yes",
	"privilegeEscalation" : <string> "none" DEFAULT "none"
}

Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000009",
		"type" : "database",
		"name" : "'database' Test PATCH",
		"description" : "Manually inputted in data for use in testing",
		"tags" : "",
		"createdTime" : "1433187223",
		"modifiedTime" : "1433265608",
		"typeFields" : {
			"login" : "test",
			"password" : "SET",
			"sid" : "",
			"port" : "49",
			"dbType" : "Oracle",
			"oracleAuthType" : "test",
			"SQLServerAuthType" : ""
		},
		"groups" : [],
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1433279057
}

/credential/{id}

Methods
GET

Gets the Credential associated with {id}.

Fields Parameter

The fields parameter should be specified in the query string, and it takes the syntax

    ?fields=<field>,...

NOTE: 'typeFields' returns the type-specific parameters inside a 'typeFields' object. It does not consider authType, privilegeEscalation, or dbType. If requested, typeFields returns the following for each type:

type "database": login, password, sid, port, dbType, oracleAuthType, SQLServerAuthType
type "ssh": authType, username, password, publicKey, privateKey, passphrase, kdc_ip, kdc_port, kdc_protocol, kdc_realm, vault_host, vault_port, vault_username, vault_password, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_private_key, thycotic_ssl_verify, privilegeEscalation, escalationUsername, escalationPassword, escalationSuUser, escalationPath
type "snmp": communityString
type "windows": authType, username, password, domain, kdc_ip, kdc_port, kdc_protocol, vault_host, vault_port, vault_username, vault_password, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_ssl_verify

Allowed Fields

*id
**name
**description
**type
creator
groups

target
typeFields
tags
createdTime
modifiedTime
canUse
canManage

Session user role not "1" (Administrator)

owner
ownerGroup
targetGroup

Legend

* = always comes back

** = comes back if fields list not specified on GET all

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000009",
		"type" : "database",
		"name" : "'database' Test PATCH",
		"description" : "Manually inputted in data for use in testing",
		"tags" : "",
		"createdTime" : "1433187223",
		"modifiedTime" : "1433265608",
		"typeFields" : {
			"login" : "test",
			"password" : "SET",
			"sid" : "",
			"port" : "49",
			"dbType" : "Oracle",
			"oracleAuthType" : "test",
			"SQLServerAuthType" : ""
		},
		"groups" : [],
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1433279057
}

PATCH

Edits the Credential associated with {id}, changing only the passed-in fields.

Request Parameters

Note #1: A Credential's 'type' parameter may not be modified, but 'authType' may be modified.

Note #2: When a Credential's authType, dbType, or privilegeEscalation parameters are modified, the parameters that no longer apply will be cleared by default.

Parameters that may still apply, however, are maintained by default. Either kind of parameter may be passed explicitly to override the default, although passing a field that no longer applies gives an error.

For example, if privilegeEscalation is modified from 'su' to 'pbrun', both 'escalationPassword' and 'escalationPath' still apply and will be maintained. The escalationUsername parameter no longer applies, however, and will be cleared.

Note #3: When a password field is saved, the response returns the string "SET" in its place. During PATCH, however, "SET" should not be passed back, or it will be considered to be the new password.

(All fields are optional)

See /credential::POST for parameters.
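
One way to build a PATCH body that respects Notes #1 to #3, as an added example that is not part of the original reference: it diffs an edited copy against the GET response, never echoes the "SET" placeholder, and rejects escalation fields that do not apply to the target privilegeEscalation. The function names and sample data are constructed, and treating any field whose name ends in "password" as masked is an assumption.

```python
# Escalation fields that apply to each privilegeEscalation value, transcribed from
# the type "ssh" schema on this page (both "dzdo" blocks list the same three).
_SUDO_LIKE = {"escalationUsername", "escalationPassword", "escalationPath"}
ESCALATION_FIELDS = {
    "none": set(),
    ".k5login": {"escalationUsername"},
    "cisco": {"escalationPassword"},
    "pbrun": {"escalationPassword", "escalationPath"},
    "dzdo": _SUDO_LIKE, "su": _SUDO_LIKE, "sudo": _SUDO_LIKE,
    "su+sudo": _SUDO_LIKE | {"escalationSuUser"},
}
ALL_ESCALATION = set().union(*ESCALATION_FIELDS.values())
MASK = "SET"  # placeholder the API returns instead of a saved password


def cleared_on_change(old, new):
    """Escalation fields the server clears by default (Note #2)."""
    return ESCALATION_FIELDS[old] - ESCALATION_FIELDS[new]


def build_patch(current, desired):
    """current: 'response' object of GET /credential/{id}; desired: flat field map."""
    flat = {k: v for k, v in current.items() if k != "typeFields"}
    flat.update(current.get("typeFields", {}))
    if desired.get("type", flat.get("type")) != flat.get("type"):
        raise ValueError("'type' may not be modified (Note #1)")
    target = desired.get("privilegeEscalation", flat.get("privilegeEscalation", "none"))
    body = {}
    for key, value in desired.items():
        if key == "type":
            continue
        # Assumption: masked fields are those whose name ends in "password".
        if key.lower().endswith("password") and value == MASK:
            continue  # never echo the mask back: it would become the password
        if key in ALL_ESCALATION and key not in ESCALATION_FIELDS[target]:
            raise ValueError(f"{key} does not apply to {target!r} (Note #2)")
        if flat.get(key) != value:
            body[key] = value  # PATCH only what actually changes
    return body


# Constructed GET response for an ssh credential, and a client-side edited copy.
CURRENT = {"id": "1000001", "type": "ssh", "name": "Test", "typeFields": {
    "authType": "password", "username": "scan", "password": "SET",
    "privilegeEscalation": "su", "escalationUsername": "root",
    "escalationPassword": "SET", "escalationPath": ""}}
DESIRED = {"type": "ssh", "name": "Test", "password": "SET",
           "privilegeEscalation": "pbrun", "escalationPassword": "SET",
           "escalationPath": "/usr/bin"}
PATCH_BODY = build_patch(CURRENT, DESIRED)
```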

Example Response
See /credential/{id}::GET